Dropped.Generic.Malware.Sdld.C425D330_2dcafb3fa9 – Adaware

Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), GenericIRCBot.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, IRCBot, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 2dcafb3fa93f3f9d8d5af171328e97d1

SHA1: 941995b1124809ab03df37b791441a53f57d215d

SHA256: e731973cf0a1ae9f8f8d107952e6381db77983b120e5ba34c517b8539b9af7ee

SSDeep: 24576:/gFkg R9SDI5xJyyUACeB3gJxL9CC/XV/1VMvoDg3amvsITZP7:IKgI9SGJpU8BQPL9CeVSoDgqmRTZP7

Size: 1134249 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 1992-06-20 01:22:17

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Dynamic Analysis

Payload

Behaviour	Description
IRCBot	A bot can communicate with command and control servers via IRC channel.

Process activity

The Dropped creates the following process(es):

%original file name%.exe:2224

The Dropped injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2224 makes changes in the file system.

The Dropped creates and/or writes to the following file(s):

C:\Windows\win32dc\FlatOut_fix.exe (11198 bytes)
C:\Windows\win32dc\Quake3_cdfix.exe (7547 bytes)
C:\Windows\win32dc\Silent Hill 4 cdfix.exe (10107 bytes)
C:\Windows\win32dc\Counter-Strike(serial).exe (7815 bytes)
C:\Windows\win32dc\BattleField 1942 codes.exe (7547 bytes)
C:\Windows\win32dc\Half-Life 2 patch.exe (7547 bytes)
C:\Windows\win32dc\Sims 2_cheat.exe (7547 bytes)
C:\Windows\win32dc\Silent Hill 4 serial.exe (7547 bytes)
C:\Windows\win32dc\UT2004(codes).exe (7547 bytes)
C:\Windows\win32dc\Doom 3 trainer.exe (9024 bytes)

Registry activity

Dropped PE files

MD5	File path
161ef859233be7d9ae58f39373299dbe	c:\Windows\win32dc\Counter-Strike(serial).exe
e52ef316aae4fefbacfcd7fb8cf44dad	c:\Windows\win32dc\Doom 3 trainer.exe
ce4cdf0fd067a1b16cf777c0c10bc34d	c:\Windows\win32dc\FlatOut_fix.exe
c70559309f4327b955f6c370020cd98c	c:\Windows\win32dc\Silent Hill 4 cdfix.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2224
Delete the original Dropped file.
Delete or disinfect the following files created/modified by the Dropped:
C:\Windows\win32dc\FlatOut_fix.exe (11198 bytes)
C:\Windows\win32dc\Quake3_cdfix.exe (7547 bytes)
C:\Windows\win32dc\Silent Hill 4 cdfix.exe (10107 bytes)
C:\Windows\win32dc\Counter-Strike(serial).exe (7815 bytes)
C:\Windows\win32dc\BattleField 1942 codes.exe (7547 bytes)
C:\Windows\win32dc\Half-Life 2 patch.exe (7547 bytes)
C:\Windows\win32dc\Sims 2_cheat.exe (7547 bytes)
C:\Windows\win32dc\Silent Hill 4 serial.exe (7547 bytes)
C:\Windows\win32dc\UT2004(codes).exe (7547 bytes)
C:\Windows\win32dc\Doom 3 trainer.exe (9024 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	40592	40960	4.37354	4599c8e48266467f9472d9c0076da0aa
DATA	45056	416	512	2.59038	6723f313105be59e8f34015bac1ef0c6
BSS	49152	4493	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	57344	2332	2560	2.95832	1f3c6fef94d61a4d2beebca25d327785
.tls	61440	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	65536	24	512	0.129329	bf98d008e3e41c32258f4ddad0423dfc
.reloc	69632	2396	2560	4.48773	c247e5d4f27055db8d87da84767714bb
.rsrc	73728	1536	1536	2.62048	b115dc78febf3048a6accb9f8efeb1de

Dropped from:

8f46332afc342a1fe56786c602396e5a

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2187
ef2d2eb0996329df1775d6f51f5b214a
fa718cee99caa7ded0db41592ebf7a67
e922a769fe7ad0e19e42c65b311ea6b3
ceb082fe53d615709efd38debee15f3a
c51bbf5ad597f0fc6b5772bfef556e76
8dbf9c23a207bf486a0d0892681728a6
8c186dcb8593e1c4dc469b2c2f2b4b74
896f1994684a01c251361617a5dd6cbe
76e344ea280f0036d4b180a5f1d7eef8
e20f21fadc5cfc7baba72a248b47a462
b68d59ebc3cb5470808294307d8c906e
b1df0e2628e2b3519a754c1ab3cf84ca
9a126dee8c14343f3e34917748f5e7b0
9793bc540ca9c8cc692ee015599e0c7e
1cd30c3539cdaa0e8119135ebf416759
ca4b332d0e077db4beab2ab38f6d34dd
c534a5e7401909feee6bd2ea3f9ed590
9511b36c9bbee52e672af861b37ac14a
c1a09749010b68a2824248060a7b9a56
b3dda43b6257884c6a63b16b56acf147
ab3266127cfa953df4419c2960dde91a
9440dee414ca50a287bf03dbf0228832
847486e7d316d15ec1e63a5f70de0922
6248453638d3b77e23cb6d0ea8cc66cb
080d9615f852fa07becffd9cf5d332f9
ebb3bd6a257690f8b7330557b132306f

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Dropped connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2224:

.idata

.rdata

P.reloc

P.rsrc

PRIVMSG

JOIN

PRIVMSG

:File Executed

(netbios_invalidpass:

File(%cur%\

File(%sys%\

rndnick

NICK

join

%sys%\

%cur%\

%rnddir%\%rand%.exe

system.ini

explorer.exe

.com "win2k" :

DCPlusPlus.xml

dcplusplus.xml

%sys%

%cur%

\WINDOWS\Start Menu\Programs\Startup\

netapi32.dll

%rnddir%\%rand%.com

irc.lcirc.net

kernel32.dll

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

GetWindowsDirectoryA

mpr.dll

wsock32.dll

shell32.dll

ShellExecuteA

wininet.dll

URLMON.DLL

URLDownloadToFileA

KWindows

&pWebServer